Script Fragmentation Attacks PacSec 2008 Stephan Chenette, Security Researcher Websense Security Labs
What am I talking about today The success of any exploit depends on some basic assumptions: The vulnerable service or application is: • Active • Accessible The exploit is: • Reliable • Undetected
What am I talking about today This presentation will focus on: Evading detection of the exploit Specifically: A new evasion technique to avoid detection of client-side web exploitation (Browser, ActiveX control, etc bugs)
Why is this important to you • Who I’m assuming you are: • Reporter • Researcher • Security Administrator • Technical Manager • You have an interest in new exploit attacks and evasion techniques and/or protecting an organization
Web threat landscape basics Attack trends have shifted over the years. Intruders are focusing more prominently on the Web. Most companies/users don't block HTTP at the firewall. Malicious client-side web attacks are assumed to be covered by desktop or gateway AV/IDS.
Reality check Current Desktop and Gateway AV do not protect against Script Fragmentation attacks.
HTTP client/server communication • GET / HTTP/1.1 • Web Server • Client Browser
Current desktop/gateway protection Looking at initial content
Current evasion techniques Obfuscated JS code
Successful Evasion… Malicious content passing over the network has a higher chance of evading detection the more indistinguishable it is from benign traffic.
Script Fragmentation Script: active content, e.g. JavaScript, VBScript, etc. Fragmentation: little chunks of data. Note: The use of AJAX for malicious purposes was mentioned at Toorcon 2007, but not in the detail I'm about to go into…
Basic recipe Works with no additional mechanisms: browser, JavaScript, XMLHttpRequest. This works flawlessly in Internet Explorer, Firefox, Safari, Opera and Konqueror.
Example 1: Basic HTML document <html> <body> <div id="target"></div> </body> </html>
JavaScript DOM manipulation JavaScript has objects/functions to alter the DOM:
var d = document.getElementById("target");
var n = document.createElement("script");
n.text = "alert('test');";
d.appendChild(n);
New DOM <html> <body> <div id="target"> <script> alert('test'); </script> </div> </body> </html>
Example 2: Basic HTML document <html> <body> </body> </html>
JavaScript DOM manipulation var text = "alert('test');"; eval(text); eval() will execute its argument as script code.
New DOM <html> <body> </body> </html>
The power of scripting JavaScript will of course also allow us to concatenate multiple strings together. We can then execute the resulting string as code. e.g. var text = "ale" + "rt(" + "'te" + "st'" + ");"; eval(text);
Dynamic retrieval of data • GET /index.php?q=2+2 "4" • Web Server • Client Browser
<script>
var xmlhttp = new XMLHttpRequest();
// synchronous request (third argument false), so responseText is populated once send() returns
xmlhttp.open("GET", "/index.php?q=2+2", false);
xmlhttp.send(null);
var response = xmlhttp.responseText; // "4"
</script>
Technology used for good • JavaScript != EVIL • XMLHttpRequest != EVIL • Benign JavaScript/XMLHttpRequest technologies: • Gadgets • Widgets • Mashups • Gmail, orkut, facebook, hi5.com, etc. use JavaScript and XMLHttpRequest.
Steps for script fragmentation attack • Store malicious content on server • SERVER: Serve client webpage with script fragmentation decoder routine. • CLIENT: Use XMLHTTPRequest object to request only small chunk of malicious content from server • SERVER: respond with requested chunk of malicious content • CLIENT: Use JavaScript variable to save chunks of data and continue to use JavaScript and XMLHTTPRequest object to request new chunk of data until there is no more data • CLIENT: Execute resulting code once all data is received
Steps in action • Web Server Step 1) Store malicious content on server
Steps in action • <DECODER> • Web Server • Client Browser Step 2) SERVER: Serve client webpage with script fragmentation decoder routine.
Steps in action • GET /index.cgi?o=0&rl=3 • Web Server • Client Browser Step 2) CLIENT: use XMLHTTPRequest object to request only small chunk of malicious content from server
Steps in action • "var" • Web Server • Client Browser Step 3) SERVER: respond with requested chunk of malicious content
Steps in action • GET /index.cgi?o=3&rl=3 • " he" • Web Server • Client Browser • var text = "var he"; Step 4) CLIENT: store chunk and continually request more chunks until there is no more data.
Steps in action • GET /index.cgi?o=6&rl=3 • "apS" • Web Server • Client Browser • var text = "var heapS"; Step 4) CLIENT: store chunk and continually request more chunks until there is no more data.
Steps in action • GET /index.cgi?o=9&rl=3 • "pra" • Web Server • Client Browser • var text = "var heapSpra"; Step 4) CLIENT: store chunk and continually request more chunks until there is no more data.
Steps in action • GET /index.cgi?o=12&rl=3 • "yTo " • Web Server • Client Browser • var text = "var heapSprayTo"; Step 4) CLIENT: store chunk and continually request more chunks until there is no more data.
Steps in action • Client Browser Step 5) CLIENT: execute resulting code once all data is received.
// Method 1
eval(text);
// Method 2
var div = document.getElementById("target");
var n = document.createElement("script");
n.text = text;
div.appendChild(n);
The possibilities Beyond the basic script fragmentation attack: • Randomize the sequence of offsets • XOR/encrypt the data • Spread the data across multiple web servers (botnet) • Keep the string encrypted in memory until the last minute
Options for data transfer XMLHttpRequest is the object used to make dynamic remote HTTP requests, but there are multiple data formats that may be used for the data transfer: • RAW • XML • JSON • etc.
RAW data format • GET /index.cgi?o=0&rl=3&u=guid "var" • Web Server • Client Browser
XML data format • GET /index.cgi?o=0&rl=3 "<Data eof="0" text="var" />" • Web Server • Client Browser
JSON data format • GET /index.cgi?o=0&rl=3 "{ eof : "0", text : "var" }" • Web Server • Client Browser
// S = server resp.
// the parentheses make eval() parse S as an object literal; a bare { ... } would be parsed as a block statement
var data = eval("(" + S + ")");
var text = data.text;
Flawlessly works on all major browsers Proof of concept (POC) with debug output
AV won't detect Script Fragmentation The initial page holds the decoder routine in a script tag, followed by a blank body. The file on disk will never change. The DOM in memory will never change. NO SUBSTANTIAL CONTENT TO SCAN AS MALICIOUS!
HTML file on disk The file on disk is the same before and after: C:\Documents and Settings\<USER>\Local Settings\Temporary Internet Files
DOM in memory Method 1: DOM doesn’t change at all
DOM in memory Method 2: Only the DOM has changed
Victory! Script Fragmentation is a very successful evasion attack that current desktop and gateway AV do not detect.
Ending remarks Did I scare you? …sorry. This attack is still a few years away. We haven't seen this in the wild. Obfuscation is still the biggest problem.
Possible solutions • Detecting the decoder routine • Detecting network anomalies • Using a "feedback loop" and executing in a remote location • Browsers add protection? Perhaps. Functionality over security wins here, though.
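As an added example (not part of the talk), the "network anomalies" idea above as a proxy-log heuristic: the chunk walk in the slides shows up as one client hitting the same path many times, each request's offset equal to the previous offset plus the bytes returned, with every response only a few bytes long. The log format (client, method, URL, status, response bytes) and the sample lines are constructed; the offset parameter name o is taken from the slides.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit
# Constructed sample proxy log; assumed format: "client method url status bytes".
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200 1873
10.0.0.5 GET /index.cgi?o=0&rl=3 200 3
10.0.0.5 GET /index.cgi?o=3&rl=3 200 3
10.0.0.5 GET /index.cgi?o=6&rl=3 200 3
10.0.0.5 GET /index.cgi?o=9&rl=3 200 3
10.0.0.5 GET /index.cgi?o=12&rl=3 200 3
10.0.0.5 GET /index.cgi?o=15&rl=3 200 2
10.0.0.7 GET /search?q=2%2B2 200 4210
10.0.0.9 GET /index.cgi?o=0&rl=3 200 3
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse_line(line):
    """Return (client, path, offset-or-None, bytes); 'o' is the offset name from the slides."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, _method, url, _status, size = m.groups()
    parts = urlsplit(url)
    o = parse_qs(parts.query).get("o", [""])[0]
    return client, parts.path, (int(o) if o.isdigit() else None), int(size)

def find_fragment_streams(log_text, min_requests=5, max_chunk=64):
    """Flag (client, path) pairs that received a burst of tiny responses.
    Returns (client, path, request_count, total_bytes, reason) tuples."""
    streams = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            client, path, offset, size = rec
            streams[(client, path)].append((offset, size))
    flagged = []
    for (client, path), reqs in streams.items():
        sizes = [s for _, s in reqs]
        if len(reqs) < min_requests or max(sizes) > max_chunk:
            continue  # not a burst of small fragments
        # Strong signal: each offset equals the previous offset plus the bytes
        # returned, i.e. the client is walking a byte stream chunk by chunk.
        contiguous = all(o is not None for o, _ in reqs) and all(
            o2 == o1 + s1 for (o1, s1), (o2, _) in zip(reqs, reqs[1:]))
        # Weaker signal (the talk notes offsets may be randomised): repeated tiny responses.
        reason = "contiguous-offset walk" if contiguous else "many tiny responses"
        flagged.append((client, path, len(reqs), sum(sizes), reason))
    return flagged
```

Legitimate AJAX traffic such as autocomplete also produces bursts of tiny responses, so the weaker signal needs a higher threshold or correlation with the decoder-routine check before it is acted on.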
Thank you. Any questions? Stephan Chenette, Websense Security Labs schenette@websense.com Check out our website and blogs http://securitylabs.websense.com/content/blogs.aspx http://securitylabs.websense.com/